Bug #16307: Broken Tor Browser on Buster: terminates when opening a file dialog

Bug #16307

Broken Tor Browser on Buster: terminates when opening a file dialog

Added by CyrilBrulebois 2019-01-06 02:51:52 . Updated 2019-01-07 13:33:32 .

Status:

Resolved

Priority:

Elevated

Assignee:

Category:

Target version:

Tails_4.0

Start date:

2019-01-06

Due date:

% Done:

100%

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Browser

Deliverable for:

Description

Seen on <https://paste.debian.net/>, clicking the “Browse” button leads to this for tor-browser, with two extra lines for clarity:

--- Startup messages ---
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank"
1546742616883   addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}  WARN    Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing background.persistent: Event pages are not currently supported. This will run as a persistent background page.
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank"
1546742617998   addons.webextension.https-everywhere-eff@eff.org    WARN    Please specify whether you want browser_style or not in your browser_action options.
1546742617998   addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}  WARN    Please specify whether you want browser_style or not in your browser_action options.
1546742619405   addons.webextension.uBlock0@raymondhill.net WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing incognito: Invalid enumeration value "split"
1546742619409   addons.webextension.uBlock0@raymondhill.net WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing sidebar_action.open_at_install: An unexpected property was found in the WebExtension manifest.
1546742619409   addons.webextension.uBlock0@raymondhill.net WARN    Loading extension 'uBlock0@raymondhill.net': Reading manifest: Error processing storage: An unexpected property was found in the WebExtension manifest.
Fontconfig warning: "/usr/local/lib/tor-browser/TorBrowser/Data/fontconfig/fonts.conf", line 85: unknown element "blank"

--- Trying to browse ---
(firefox:13189): Gtk-CRITICAL **: 02:44:02.682: Error creating directory /home/amnesia/.config/gtk-3.0: Permission denied

(firefox:13189): Gtk-WARNING **: 02:44:02.699: Could not load a pixbuf from /org/gtk/libgtk/icons/16x16/status/image-missing.png.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:../../../../gtk/gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /org/gtk/libgtk/icons/16x16/status/image-missing.png: Unrecognized image file format (gdk-pixbuf-error-quark, 3)
Redirecting call to abort() to mozalloc_abort

Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=21.8181) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[Child 13295, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /var/tmp/build/firefox-efdff96e8955/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=25.6962) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[Child 13251, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /var/tmp/build/firefox-efdff96e8955/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Segmentation fault

Meanwhile, on the dmesg -w side (with another tor-browser process):


[ 1148.939816] audit: type=1400 audit(1546742961.676:518): apparmor="DENIED" operation="mkdir" profile="torbrowser_firefox" name="/home/amnesia/.config/gtk-3.0/" pid=13327 comm="firefox.real" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[ 1148.957485] audit: type=1400 audit(1546742961.692:519): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/mime.cache" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957490] audit: type=1400 audit(1546742961.692:520): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/globs2" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957494] audit: type=1400 audit(1546742961.692:521): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/magic" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957498] audit: type=1400 audit(1546742961.692:522): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/aliases" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957502] audit: type=1400 audit(1546742961.692:523): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/subclasses" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957505] audit: type=1400 audit(1546742961.692:524): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/icons" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957509] audit: type=1400 audit(1546742961.692:525): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/local/share/mime/generic-icons" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957512] audit: type=1400 audit(1546742961.692:526): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1148.957519] audit: type=1400 audit(1546742961.692:527): apparmor="DENIED" operation="open" profile="torbrowser_firefox" name="/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/globs2" pid=13327 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Subtasks

History

#1 Updated by intrigeri 2019-01-06 07:01:56

Status changed from New to Confirmed
Assignee set to intrigeri
Affected tool set to Browser

Thanks! I’ll take a look.

#2 Updated by intrigeri 2019-01-07 08:52:01

Interestingly, Evince is not affected and I don’t get why.

Next steps:

check if feature/16073-linux-4.19+force-all-tests is affected, i.e. is this a regression caused by Linux 4.19?
check if apparmor 2.13.2 (that migrates to testing today) fixes the problem

#3 Updated by intrigeri 2019-01-07 10:25:45

intrigeri wrote:
> * check if feature/16073-linux-4.19+force-all-tests is affected, i.e. is this a regression caused by Linux 4.19?

It’s not.

> * check if apparmor 2.13.2 (that migrates to testing today) fixes the problem

And if it does not: try on feature/buster with Stretch’s apparmor parser.

#4 Updated by intrigeri 2019-01-07 10:34:42

Subject changed from Broken tor-browser on buster: terminates when opening a file dialog to Broken Tor Browser on Buster: terminates when opening a file dialog

#5 Updated by intrigeri 2019-01-07 10:54:57

Status changed from Confirmed to In Progress
% Done changed from 0 to 10

intrigeri wrote:
> > * check if apparmor 2.13.2 (that migrates to testing today) fixes the problem
>
> And if it does not:

It does not.

> try on feature/buster with Stretch’s apparmor parser.

Downgrading to Stretch’s apparmor and libapparmor1, choosing to keep our patched conffiles when dpkg asked, fixes it. Finally some hope! Next step: figure out which one, among the parser downgrade and the policy downgrade, did the trick.

#6 Updated by intrigeri 2019-01-07 11:12:56

intrigeri wrote:
> Downgrading to Stretch’s apparmor and libapparmor1, choosing to keep our patched conffiles when dpkg asked, fixes it. Finally some hope! Next step: figure out which one, among the parser downgrade and the policy downgrade, did the trick.

On this frankenstein system:

upgrading to Buster’s AA features file: still works
overwriting the apparmor_parser binary and /lib/x86_64-linux-gnu/libapparmor.so.1* with the version from Buster: still works

=> I think some part of the policy update between Stretch and Buster breaks our alias trick, somehow. Will kinda bisect it.

#7 Updated by intrigeri 2019-01-07 12:00:26

Seems like the abstractions/freedesktop.org update, and more specifically the syntax used in the corresponding tunables/share, is the culprit.

This fixes the problem:

--- /lib/live/mount/rootfs/filesystem.squashfs/etc/apparmor.d/tunables/share    2018-09-05 16:51:53.000000000 +0000
+++ /etc/apparmor.d/tunables/share  2019-01-07 11:53:28.648000000 +0000
@@ -1,4 +1,4 @@
-@{flatpak_exports_root} = flatpak/exports flatpak/{app,runtime}/*/*/*/*/export
+@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}

 # System-wide directories with behaviour analogous to /usr/share
 # in patterns like the freedesktop.org basedir spec. These are

Looks like variable expansion of space-separated values works fine (e.g. in @{system_share_dirs}) but not recursively once combined with AppArmor aliases.

Will apply the policy fix in Tails and submit it upstream, where I’ll be told whether it shall be reported as a parser bug or not.

#8 Updated by intrigeri 2019-01-07 13:33:17

Status changed from In Progress to Resolved
Assignee deleted (~~intrigeri~~)
% Done changed from 10 to 100

https://gitlab.com/apparmor/apparmor/merge_requests/300

#9 Updated by intrigeri 2019-01-07 13:33:32

Priority changed from Normal to Elevated